Privacy Matters: Payment Cards Center Workshop on the Right to Privacy and the Financial Services Industry

Also known as the Financial Services Modernization Act, Gramm-Leach-Bliley (GLB) allows financial institutions to engage in certain types of activities that were formerly prohibited.

In effect, GLB repealed sections 20 and 32 of the Glass-Steagall Act, which, among other things, separated commercial and investment banking. GLB also created an entity called a financial holding company (FHC). Any bank holding company that qualifies to be an FHC may engage in a broad range of finance-related activities, including underwriting insurance and securities. This closer union between banks and other financial services organizations increased concerns about how customer information gathered by financial institutions would be shared, especially with unaffiliated third parties.

The privacy provisions of GLB describe the conditions under which financial institutions (1) may disclose nonpublic personal information about consumers to nonaffiliated third parties, require such institutions to provide notice to their customers about their privacy policies, and permit the consumer to opt out of those disclosures, subject to certain exceptions. Congress has provided broad rule-making authority to eight federal agencies, each of which regulates a different aspect of the financial services industry. (2)

The agencies' privacy regulations apply to financial institutions only with respect to the nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. The privacy regulations do not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes.

Earlier this year, the Payment Cards Center of the Federal Reserve Bank of Philadelphia sponsored a workshop with Anita L. Allen, a professor of law at the University of Pennsylvania. Professor Allen, who has written and lectured extensively about the legal aspects of privacy, led a discussion with Philadelphia Fed officers and staff about privacy issues in general and privacy provisions under GLB in particular. Her remarks provided a historical timeline for these issues and a context for GLB.

To start, Professor Allen offered her definition of privacy: "modes by which people, personal information, certain personal property, and personal decision-making can be made less accessible to others." She noted further that privacy is protected not only by law but also "by cultural norms, ethics, and business and professional practices." She also listed four types of privacy: informational, physical, decisional, and proprietary. GLB privacy provisions fall mostly into the informational category. (See Types of Privacy.)

Of course, Professor Allen acknowledged that when we talk about privacy, a basic question arises: Why is it important? Because, Professor Allen stated, it involves factors such as personhood, individuality, personal and social relationships, autonomy, and tolerance, to name just a few. But, she cautioned, privacy rights are not absolute. Such rights must often be weighed against other considerations such as public health and national security. (See Privacy vs. Other Values, Needs, and Policies.)

In fact, the word "privacy" does not appear in the Constitution; however, Professor Allen noted that the Supreme Court has interpreted five of the 10 original Bill of Rights guarantees and the 14th Amendment as protective of privacy. For example, the Court has stated that the search and seizure protections of the Fourth Amendment relate not only to the physical privacy of a citizen's home but also to the informational privacy of a citizen's papers, correspondence, conversations, and electronic communications.

Professor Allen believes that mistaken ideas about citizens' rights to privacy are quite common. That's one reason she thinks people don't shop around for another bank even when they're concerned about privacy -- they assume that their depository institution protects their privacy as a matter of course. …